An Effective Naming Heterogeneity Resolution for XACML Policy Evaluation in a Distributed Environment

Policy evaluation is the process of determining whether a request submitted by a user satisfies the access control policies defined by an organization. Naming heterogeneity between the attribute values of a request and those of a policy is common, owing to syntactic variations and terminological variations, particularly among the organizations of a distributed environment. Existing policy evaluation engines employ a simple string-equal matching function to evaluate the similarity between the attribute values of a request and a policy, which is inaccurate, since only an exact match is treated as similar. This work proposes several matching functions, not limited to the string-equal matching function, that aim to resolve various types of naming heterogeneity. Our proposed solution is also capable of supporting symmetrical architecture applications, in which the organization can negotiate with the users over the release of their resources and properties that raise privacy concerns. The effectiveness of the proposed matching functions is evaluated on real XACML policies designed for universities, conference management, and the health care domain. The results show that the proposed solution achieves higher percentages of Recall and F-measure than the standard Sun's XACML implementation; with our improvement, these measures gained up to 70% and 57%, respectively.
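The contrast the abstract draws between a string-equal matcher and heterogeneity-aware matching, as an added example that is not the paper's code: the normalization rule, the synonym table and the labelled request/policy pairs below are constructed assumptions, and the paper's actual matching functions are not given on this page.

```python
import re

# Constructed synonym table standing in for a terminological resource
# (an assumption of this example, not the paper's matching functions).
SYNONYMS = {
    "physician": {"doctor", "medical-practitioner"},
    "lecturer": {"instructor", "faculty"},
    "reviewer": {"pc-member"},
}

def string_equal(req: str, pol: str) -> bool:
    """Baseline: the exact-match semantics of a standard string-equal function."""
    return req == pol

def normalize(value: str) -> str:
    """Resolve syntactic variation: case, surrounding whitespace, separators."""
    return re.sub(r"[\s_\-]+", "-", value.strip().lower())

def heterogeneous_match(req: str, pol: str) -> bool:
    """Syntactic normalization first, then a terminological (synonym) lookup."""
    r, p = normalize(req), normalize(pol)
    if r == p:
        return True
    return any(r in syns | {canon} and p in syns | {canon}
               for canon, syns in SYNONYMS.items())

# Constructed request/policy attribute pairs with ground-truth labels
# (True = the two values denote the same role and should match).
PAIRS = [
    ("physician", "physician", True),            # exact match
    ("Physician", "physician", True),            # case variation
    ("Medical Practitioner", "medical-practitioner", True),  # separator variation
    ("doctor", "physician", True),               # terminological variation
    ("Lecturer", "instructor", True),
    ("PC Member", "reviewer", True),
    ("nurse", "physician", False),
    ("student", "lecturer", False),
]

def evaluate(match) -> dict:
    """Precision, Recall and F-measure of a matching function over PAIRS."""
    tp = fp = fn = 0
    for req, pol, truth in PAIRS:
        got = match(req, pol)
        tp += int(got and truth)
        fp += int(got and not truth)
        fn += int(truth and not got)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": round(precision, 3), "recall": round(recall, 3), "f_measure": round(f, 3)}

if __name__ == "__main__":
    print("string-equal  :", evaluate(string_equal))
    print("heterogeneous :", evaluate(heterogeneous_match))
```

The baseline never produces false positives but misses every non-identical spelling, so its Recall and F-measure stay low; the normalizing and synonym-aware matcher recovers them on this constructed set.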
